Making online transactions more secure

Billions of online transactions occur every day, and the numbers are growing. An estimated $8 trillion was exchanged over wired and wireless networks last year. Purdue researchers want to ensure that consumers have confidence in the security of those transactions and don’t fall prey to cybercrime.

Through a grant from the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC) to Daon, a provider of identity management and authentication solutions, a team led by Stephen Elliott, associate professor of technology leadership & innovation, will test Daon’s IdentityX technology, which operates across multiple platforms to improve user authentication methods. Other participants on the project include PayPal, AARP, the American Association of Airport Executives (AAAE) and a major bank.

The project focuses on improving the privacy, security and convenience of sensitive online transactions, a critical need in today’s growing digital world. The Purdue team combines expertise from four different Purdue units: the Biometric Standards, Performance and Assurance Laboratory (BSPA); the Cyber Center at Discovery Park; the Center for Education and Research in Information Assurance and Security (CERIAS); and the Information Technology at Purdue (ITaP) division.

“We combine expertise in biometric testing, cyber security, privacy and practical real-world information technology,” said Elliott, who is working with Elisa Bertino, professor of computer science and director of the Cyber Center. The IdentityX pilot project will look at the end user’s mobile phone or tablet and different combinations of security options to provide various levels of identity assurance. Identity can be verified using multiple authentication methods, including proof of possession of the phone, a digital certificate, a PIN or password, geolocation, out-of-band verification, and voice and facial recognition.

For a simple transaction with low risk, such as transferring a small sum between bank accounts, identity verification could require just phone possession plus a PIN entry. Higher-risk transactions, such as transferring large sums, could require PIN and face and voice matching along with GPS to confirm the user’s location. The Purdue research will focus on investigating the performance of novel biometric approaches as well as on analyzing data security and privacy of identity management in mobile distributed systems.

Elliott says that although this is the first formal partnership with Daon, representatives from the company have served as part of BSPA’s Industry Advisory Board and provided student mentorship opportunities.